December 2010

Stolen Armstrong Atlantic State University Drive Contains Nursing Student Information

Quick Facts

Abstract
Armstrong Atlantic State University recently sent out notifications to former students following the theft of a hard drive. The drive, stolen from the university in early October, contained the names and Social Security numbers of former nursing students who attended Armstrong before late 2006. According to Armstrong spokesperson Francisco Duque, late 2006 was when Armstrong stopped using SSNs for student ID numbers, and storing this type of information on a portable storage device is against university policy. Armstrong Police Chief Wayne Wilcox said the theft looks like a crime of opportunity and noted other thefts had been reported. It is believed someone obtained a key to the building and used it to enter after the building was closed. Duque cited the time needed to determine the extent of the incident and find out what information was on the drive as the reason behind the seven-week delay in sending out the notifications.

W-2 Information On Stolen Tulane Laptop

Quick Facts

  • Date: 12/29/2010
  • Institution: Tulane University
  • Type of Incident: Theft
  • Number Affected: 10,000
  • Source: ESI
  • Abstract Source: WWL-TV

Abstract
Tulane University recently notified employees after a laptop containing tax information was stolen. The laptop, stolen on December 29, contained the W-2 information, names, Social Security Numbers, addresses and salary information on over 10,000 Tulane employees (including part-time and student employees) employed during 2010. The laptop was used to process tax records during Tulane’s winter break and was in a briefcase that was stolen from the locked car of an employee who was out of town. Tulane is offering 12 months of free credit monitoring to the affected individuals and is instructing individuals with questions to contact 504-865-5291.

[Update1] Saint Louis University Notifies Campus Following Network Breach

Quick Facts

Abstract
Saint Louis University officials recently sent an email notification to all faculty, staff and students following a network breach. In the email, Vice President and CIO Tim Brooks states that an investigation into a network breach discovered that a system containing personal employee information such as names and Social Security numbers had been accessed without authorization. The breached system only contained information on employees that had been with the university for five or more years. Saint Louis University is working to contract a company to provide 12 months of free credit monitoring for the affected individuals and urged those concerned to monitor their credit reports.

Update1
In a January 31, 2011 notice, St. Louis University announced the results of the investigation launched after discovering unauthorized network access. The investigation found that some of the servers accessed without authorization contained the personally identifiable information on 12,000 current and former employees as well as the protected health information on 800 students. However, the investigation did not find any evidence that any of this information was accessed. More information on the breach can be found here.

File Containing 61,000 Stony Brook University Names, Usernames and University IDs Posted Online

Quick Facts

Abstract
Stony Brook University is investigating how files containing student and faculty information ended up online. The file in question contained the names, usernames and University IDs of 61,101 students and faculty but did not contain any password or Social Security number information. The file was uploaded to sbuchat.com, a web site for “anonymous discussion and exchange of options of Stony Brook University students.” In an interview, the file-poster (who refused to be named) said the file was compiled last May after discovering an exploit in a Stony Brook system that would allow someone to change passwords without knowing the original password. The exploit also allowed the file-poster to access a list of all registered faculty and students. According to Richard Reeder, Stony Brook’s CIO, two students did report a problem like the one described by the file-poster and the flaw was fixed within a few hours. According to the file-poster, the original plan did not include posting the file publicly. However, after the sbuchat.com community demanded proof the list existed or be dismissed, the file was posted in PDF and Excel formats.

Ohio State University Server Breach Affects 760,000

Quick Facts

Abstract
Ohio State University began sending out notifications after a server containing personal information was breached. The server contained the names and Social Security numbers of 760,000 faculty, staff, students, applicants, contractors and consultants. OSU discovered the breach in October during a routine security review. In response, the server was quickly isolated and OSU hired two outside companies, Interhack and Stroz Friedberg, to help investigate the incident. Both companies found evidence that someone had gained unauthorized access but neither could find evidence that the personal information had been accessed. The companies did find evidence that hackers attempted to use the server to launch additional attacks against government agencies and businesses. OSU withheld notification until after the investigations were completed, which did not occur until late November and early December. In the notification letters to the affected individuals, OSU is offering to pay for 12 months of credit monitoring. All told, OSU expects to spend $4 million to pay for forensic investigation and credit card monitoring. More information on the breach can be found at www.osu.edu/creditsafety/.

Special Thanks to Brett Bartow for letting ESI know about this incident. -Adam